NIST – Requirements

NIST 800-53 Rev 5

Table columns: Control | AIE Rules & Alarms | Investigations | Summary Reports

AC-2

AIE Rules & Alarms:
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-3

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-4

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

Investigations:
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: Vulnerability Detected Summary

AC-6

AIE Rules & Alarms:
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-7

AIE Rules & Alarms:
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

Investigations:
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary

AC-10

AIE Rules & Alarms:
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-16

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AC-17

AIE Rules & Alarms:
CCF: Abnormal Origin Location
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Non-Encrypted Protocol Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-18

AIE Rules & Alarms:
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-20

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AC-21

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations:
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

Summary Reports:
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-23

AIE Rules & Alarms:
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AC-24

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Non-Encrypted Protocol Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AC-25

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Non-Encrypted Protocol Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AU-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AU-4

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: Time Sync Error Summary

AU-5

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Time Sync Error Summary

AU-6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AU-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AU-8

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Modified
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Time Sync Error Summary

AU-9

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

AU-10

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AU-11

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Physical Access Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Physical Access Summary
CCF: Time Sync Error Summary

AU-12

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AU-13

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

AU-14

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

AU-15

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

CA-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Non-Encrypted Protocol Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

CA-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

CM-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

CM-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

CM-6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

CM-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

CM-8

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary

CM-11

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary

CM-12

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

CP-6

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Physical Access Inv

CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Physical Access Summary
CCF: Time Sync Error Summary

CP-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

CP-9

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Time Sync Error Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: User Object Access Summary

CP-13

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IA-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-8

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-9

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IP-2

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-10

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IP-4

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IA-12

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

IP-3

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: User Object Access Inv

CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary

IR-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IR-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IR-6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IR-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IR-9

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

IR-10

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

MA-2

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MA-3

CCF: Abnormal Amount of Data Transferred
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MA-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MA-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MA-6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MP-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MP-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MP-6

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary

PA-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MP-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

MP-8

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PA-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PE-2

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-3

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-4

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-5

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-6

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-7

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PE-8

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PL-4

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PE-17

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PL-8

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PL-9

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PM-14

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Time Sync Error Summary

PM-6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PM-12

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PM-17

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PM-23

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

PM-26

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PS-4

CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PS-5

CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PS-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PS-8

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

RA-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

RA-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

RA-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SA-3

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary

SA-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SA-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SA-9

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SA-10

CCF: Abnormal Amount of Data Transferred
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Blacklisted Account Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SA-18

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SA-19

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-2

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-3

AIE Rules & Alarms
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-4

AIE Rules & Alarms
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-5

AIE Rules & Alarms
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Denial Of Service Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

Investigations
CCF: Audit Log Inv
CCF: Denial Of Service Inv

Summary Reports
CCF: Audit Log Summary

SC-7

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SC-8

AIE Rules & Alarms
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-10

AIE Rules & Alarms
NetMon

Investigations
NetMon

Summary Reports
NetMon

SC-13

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

Investigations
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Use Of Non-Encrypted Protocols Inv

Summary Reports
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Use Of Non-Encrypted Protocols Summary

SC-16

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Time Sync Error Alarm

Investigations
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Use Of Non-Encrypted Protocols Inv

Summary Reports
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Use Of Non-Encrypted Protocols Summary

SC-18

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

Investigations
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SC-20

AIE Rules & Alarms
NetMon

Investigations
NetMon

Summary Reports
NetMon

SC-21

AIE Rules & Alarms
NetMon

Investigations
NetMon

Summary Reports
NetMon

SC-22

AIE Rules & Alarms
NetMon

Investigations
NetMon

Summary Reports
NetMon

SC-23

AIE Rules & Alarms
NetMon

Investigations
NetMon

Summary Reports
NetMon

SC-24

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

Investigations
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SC-26

AIE Rules & Alarms
LogRhythm Honeypot Security Analytics Suite

Investigations
LogRhythm Honeypot Security Analytics Suite

Summary Reports
LogRhythm Honeypot Security Analytics Suite

SC-27

AIE Rules & Alarms
CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

Investigations
CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Vulnerability Detected Inv

Summary Reports
CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Patch Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Vulnerability Detected Summary

SC-28

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SC-31

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Patch Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Vulnerability Detected Summary

SC-35

LogRhythm Honeypot Security Analytics Suite

LogRhythm Honeypot Security Analytics Suite

LogRhythm Honeypot Security Analytics Suite

SC-36

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SC-38

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SC-40

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Malware Detected Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Malware Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary

SC-41

NetMon

 

 

SI-2

CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv

CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary

SI-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SI-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SI-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SI-6

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

SI-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

SI-8

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Critical Event After Attack
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Malware Detected Inv
CCF: Password Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Misuse Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Malware Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: Vulnerability Detected Summary

SI-10


SI-11

CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Time Sync Error Summary

SI-12

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Social Media Event

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Social Media Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Social Media Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

SI-14

CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Security Event
CCF: Compromise Detected Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Host Access Granted And Revoked Inv
CCF: Malware Detected Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Misuse Inv
CCF: Vulnerability Detected Inv
CCF: Excessive Authentication Failure Inv

CCF: Audit Log Summary
CCF: Compromises Detected Summary
CCF: Host Access Granted And Revoked Detail
CCF: Malware Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: Vulnerability Detected Summary

SI-15

NetMon

NetMon

NetMon

SI-16

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Social Media Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Social Media Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

SI-17

CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Time Sync Error Summary

SI-18

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

SI-19

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

NIST 800-171

Control

AIE Rules & Alarms

Investigations

Reports

3.1.1

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.1.5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.8

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.10

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.12

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.1.13

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Use Of Non-Encrypted Protocols Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Use Of Non-Encrypted Protocols Summary

3.1.14

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.15

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.16

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.17

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.18

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.19

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.20

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.1.21

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary

3.3.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.3.7

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Modified
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Time Sync Error Summary

3.3.8

CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

3.3.9

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.4.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.4.3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.4.6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.5.1

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.5.2

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.5.3

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.5.10

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: Use Of Non-Encrypted Protocols Inv

CCF: Audit Log Summary
CCF: Use Of Non-Encrypted Protocols Summary

3.6.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.6.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.6.3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.7.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.7.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.7.6

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.8.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.8.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.8.5

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.8.7

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

3.8.8

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

3.8.9

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Physical Access Inv

CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Physical Access Summary
CCF: Time Sync Error Summary

3.9.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.10.1

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.10.2

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.10.3

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.10.4

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.10.5

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

3.13.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.13.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.13.4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.13.8

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Social Media Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Social Media Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.13.15

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.13.16

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.14.1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.14.2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.14.3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.14.4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

3.14.6

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

3.14.7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

NIST CSF

Control
AIE Rules & Alarms
Investigations
Reports

ID.AM-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: Vulnerability Detected Summary

ID.AM-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

ID.RA-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

ID.SC-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

ID.SC-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PR.AC-1

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.AC-2

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm

CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Physical Access Inv

CCF: Audit Log Summary
CCF: Physical Access Summary

PR.AC-3

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.AC-4

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.AC-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Uninstall Rule
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: Vulnerability Detected Summary

PR.AC-6

CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.AC-7

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.DS-1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.DS-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.DS-3

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Software Install Rule
CCF: Software Uninstall Rule

CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv

CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary

PR.DS-4

CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: Time Sync Error Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Critical Environment Error Summary
CCF: Time Sync Error Summary

PR.DS-5

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PR.DS-6

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Time Sync Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Use Of Non-Encrypted Protocols Inv

CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Use Of Non-Encrypted Protocols Summary

PR.DS-8

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.IP-1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.IP-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.IP-4

CCF: Abnormal Amount of Data Transferred
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Backup Failure Alarm
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Time Sync Error Alarm

CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Critical Environment Error Inv
CCF: Excessive Authentication Failure Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Physical Access Inv
CCF: Time Sync Error Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Physical Access Summary
CCF: User Object Access Summary

PR.IP-6

CCF: Abnormal Amount of Data Transferred
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Non-Encrypted Protocol Alarm

CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Audit Log Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary

PR.IP-9

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PR.MA-1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.MA-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.PT-1

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Backup Failure Alarm
CCF: Backup Information
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Compromise Detected Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Denial Of Service Alarm
CCF: Distributed Brute Force
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: External Brute Force Auths
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Malware Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Vulnerability Detected Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Backup Activity Inv
CCF: Compromises Detected Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Denial Of Service Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Malware Detected Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Rogue Access Point Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Time Sync Error Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Vulnerability Detected Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Backup Activity Summary
CCF: Compromises Detected Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Malware Detected Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Time Sync Error Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary
CCF: Vulnerability Detected Summary

PR.PT-2

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical Event After Attack
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Misuse
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Rogue Access Point Alarm
CCF: Social Media Event
CCF: Suspected Wireless Attack Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Physical Access Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Social Media Inv
CCF: Suspected Wireless Attack Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Misuse Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Physical Access Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Rogue Access Point Summary
CCF: Signature Activity Summary
CCF: Social Media Summary
CCF: Suspected Wireless Attack Summary
CCF: Term Account Activity Summary
CCF: Top Suspicious Users
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.PT-3

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Critical/PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: Critical/PRD Envir Signature Failure Alarm
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Social Media Event
CCF: Software Install Rule
CCF: Software Install Fail Alarm
CCF: Software Uninstall Rule
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Windows RunAs Privilege Escalation

CCF: Account Modification Inv
CCF: Applications Accessed By User Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Deleted Account Inv
CCF: Disabled Account Inv
CCF: Enabled Account Inv
CCF: Excessive Authentication Failure Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Patch Activity Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Signature Activity Inv
CCF: Unknown User Account Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv

CCF: Access Failure Summary
CCF: Access Success Summary
CCF: Account Deleted Summary
CCF: Account Disabled Summary
CCF: Account Enabled Summary
CCF: Account Modification Summary
CCF: Applications Accessed By User Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Auth Success Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: GeoIP Summary
CCF: Host Access Granted And Revoked Detail
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Patch Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Priv Authentication Activity Summary
CCF: Signature Activity Summary
CCF: Term Account Activity Summary
CCF: Unknown User Account Detail
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Object Access Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: User Priv Escalation (Windows) Summary

PR.PT-4

CCF: Abnormal Amount of Data Transferred
CCF: Abnormal Origin Location
CCF: Account Deleted Rule
CCF: Account Disabled Rule
CCF: Account Enabled Rule
CCF: Account Modification
CCF: Admin Password Modified
CCF: Audit Log Cleared Alarm
CCF: Audit Logging Stopped Alarm
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Blacklist Location Auth
CCF: Blacklisted Account Alarm
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Corroborated Data Access Anomalies
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Disabled Account Auth Success
CCF: Early TLS/SSL Alarm
CCF: Excessive Authentication Failure Rule
CCF: Failed Audit Log Write Alarm
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM Delete Activity Alarm
CCF: FIM General Activity
CCF: FIM Information
CCF: GeoIP Blacklisted Region Activity
CCF: GeoIP General Activity
CCF: Large Outbound Transfer
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Multiple Account Passwords Modified by Admin
CCF: Non-Encrypted Protocol Alarm
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
CCF